Thoughts on Personal Cyber Security & Privacy
Updated: May 28, 2021
Living in this technologically advanced world is a lot of work, with "tech" seeming to have more detriments than benefits. Everywhere you look, nearly everyone is getting hacked, pwned, or otherwise digitally violated... countries, hospitals, utilities, schools, elections, small business, large enterprises, etc., etc. WTF has happened to humans! For those of us that remember the early 90's... it was so great, we spent time actually "living" instead of being servants to our digital overlords. However, having been an active technologist for decades I've picked up a few practices that have helped me over the years. These are just my opinions / practices and I don't pretend they will apply to others, but it could stir some productive thoughts on your part. Warning: my incessant bloviating took over and the post is kinda long, but here's what we'll cover:
Zero Trust... huh!
"The nut behind the wheel"... no not me.
Mobile Phones... can I have my pager back.
Tablets... just a big phone.
Phone Numbers... who makes voice calls anyway now.
PC... nobody likes them but we all need one.
Internet Browsers... nearly only thing used on a PC now.
Firewalls... don't ignore them, I know you do.
Malware, Ransomware, Spyware, etc.... oh my!
Password Managers... don't be a loser.
Accounts, Profiles, and Services... we all have too many.
VPNs... really WTF!
Social Media... the cause of all the world's problems!
Random Last Thoughts... yeah finally!
Firstly, in my line of work, especially network & software engineering, we use the concept of Zero Trust, which I generally apply to all manner of things in life. Basically, block everything from access and only allow that which absolutely must be allowed. For instance, when I get a new PC, I uninstall everything that's not absolutely required to run the device (i.e. bloatware) and then only install what apps I absolutely need. This is a good first idea for you to embrace.
Car racing mechanics would say, the biggest mechanical problem with a car is the "nut behind the wheel"... which is you and I, the human operators, as we are our own worst enemy and generally the cause of most of our tech troubles. Honestly, that Nigerian Prince is simply not going to give you a million dollars, if you send him ten-thousand, so just don't. Remember, security implications can be permanent and life-changing.
Let's start with an easy one, your mobile phone. I'm going to get verbally flogged here... but unless you're forced to use a secure phone (à la Silent Circle), the everyday person should use an iPhone. Since the arrival of smartphones, many of us "techies" have found the same thing... iPhones are simply easier to secure and control. I'm not going to go into the deets on why, but I simply refuse to use anything other than an iPhone or a dumb flip (burner) phone. Here are some thoughts on iPhone security & privacy:
Your iPhone shouldn't be so old it doesn't support the current (iOS) operating system.
Don't install an app unless you absolutely need it. Besides built-in apps, I only have 11 on my iPhone.
Install apps from known and trusted sources with actual user reviews.
Don't utilize software that doesn't have an active US presence. Good luck trying to sue Russia, China, Venezuela, etc.
Turn off Wi-Fi when not using it. It can be used to track your movements and serve as an attack vector. My Wi-Fi is off as soon as I leave home. I'll burn more mobile data, but it's the price I've decided to pay.
Same with Bluetooth, turn it off while not using.
Also turn off Personal Hotspot while not actively using it.
Disable Background App Refresh. Why is this even a thing.
Disable Siri. Are you that lazy you need Siri. If so, you should probably stop reading this and go get a massage. 😲
Consider disabling Touch ID and/or Face ID and using a code instead. How many Law & Order episodes do you need to watch?
Disable Lock Screen access to features. I simply don't want anything on my iPhone to work unless I unlock it first.
Set your phone to "Require Passcode" Immediately and Erase Data after failed attempts. Don't forget your credentials... or you'll be screwed.
Consider disabling Home Automation apps and services. Are you that lazy, you need a phone to set your A/C or turn on a light. 🔥
Turn on the security settings in Safari to Block Pop-ups and tracking, and clear history and website data after each use. I clear mine at least twice a day.
Think about turning off your iPhone when not being used, like at night.
Disable Tracking and Location Services for everything you can, except critical System Services items like "Find My iPhone" and maybe Uber. Set things like Uber to "Ask" or "While Using". Most things simply do not need location tracking, do you really want your photos and other things GPS tagged.
Understand what "Find My" is... it's different from "Find my iPhone"... look it up.
Also think about disabling Share My Location and Advertising settings in Privacy.
Consider disabling permissions to all systems resources for each app that doesn't need it. I'm sure you've wondered why a photo app needs access to your contacts. Wonder no longer, it doesn't.
That's just a taste... there's way too much to go through, but you get the gist. The best approach is to grab a cold beverage, a few snacks, a comfy chair, and roll through every setting one by one until you've gone through it all and set to your preference. Remember, if you need help finding things, Google is helpful, just only use tips / help from reputable sites (i.e. apple.com for apple help).
So, what about tablets? Well, that's easy, and I'll doubly irritate the Android, Kindle, etc. crowd, but just like my position with iPhones, I'd simply never use any tablet that wasn't an iPad. The great thing... an iPad is essentially a really big iPhone, so privacy and security measures will be very similar. #MicDrop
Ok, on to phone numbers now. So, how the f@(& did those ten little digits that nobody actually uses to talk with anymore become such an important part of our identity? Because of this, they can be dangerous in the wrong hands. Think about it, why would you give the shady neighborhood take-out place the same code your bank uses to verify you. Crazy when you think about the security implications of it all! So, why not have two numbers... one for private life, such as family and financial needs, and another for casual stuff like restaurant reservations, stores, friends, etc. Sure it may cost you a few bucks per month for a second line, but if you can afford it why not? My provider just charges $10/month/line, so not too bad for a lot of extra security. You do know that your shiny new iPhone has a Dual SIM capability using an eSIM, right? So, now you can have two numbers on one device... cool! Plus, with two different numbers, you can silence one while leaving the other active... you know... avoid your BFF's drunken calls at 2am sobbing about failed relationships. 😢
Onto the venerable PC. A lot of blame for attacks is put on the PC, however, most issues are caused by that noted "the nut behind the wheel". That's you... not keeping things updated and secure. Also, you Mac people who think your PC is secure because "it's a Mac" absolutely kill me. You're not just uninformed & delusional, but totally ridiculous, especially given the era we're in. Yes, a Mac can be compromised just like a Windows PC. Honestly, the safest PC is one that's simply not used. So, when not using it, turn it off, as a powered-down PC isn't getting compromised, and saves electricity too. So, what to do? Some thoughts; firstly keep your OS fully updated. If the PC is too old to update, get one that isn't. Next remove any apps / programs you don't need. After that, disable background tasks and then disable add-on apps from launching at startup. There's no reason for your PDF or photo editor to run in the background at startup... just click the icon to launch when you need to use it. You can Google all these things for tips... remember, stick to results from proper places like microsoft.com for Windows and apple.com for Mac.
Now, just how does your PC usually get compromised? Well, in many cases it's from the Internet, generally through a browser or e-mail... which I'll bloviate on next. This doesn't mean your computer can't be compromised through a bad Wi-Fi router or other means... the Internet is just a common pathway to being compromised. Obviously, someone can compromise it directly, so be sure all users utilize strong & private passcodes. Other methods like USB drive attacks can occur, but among other things, simply; don't let shady people into your house, make sure your security system is enabled when nobody's home, and make sure your PC uses drive encryption.
So, Internet browsers... very useful, but also very dangerous. Like your PC, make sure your browsers are always fully updated. Having auto-update enabled is usually good practice. Next, know your settings. Don't just use the browser as is, go in and disable what you don't need or that which may have privacy and/or security implications. Also, consider removing any plug-ins or add-ons not directly needed. Sometimes you'll find that certain sites don't run well with certain settings. What I do is have at least two browsers on my PCs used for visiting websites. One browser I use for important, known, and trusted sites that are usually bookmarked and where the browser is less locked-down to be more website friendly. However, I do still dump history, cookies, data, etc. when it's closed. The other is used for general web surfing, news, shopping, etc., and is fully locked down just in case I visit a site that's been compromised... a locked down browser is less likely to succumb to attack than an open one. Like the first browser, I still make sure to dump all history, cookies, data, etc. when it closes to help prevent tracking and block security issues.
Right up there in danger with browsers is e-mail. Unfortunately, most users... again... "the nut behind the wheel" infect themselves by opening e-mails and attachments. I'm sure you know at least one person who's been ransomwared, hijacked, or compromised by opening a nasty e-mail. It's simple, if you're not expecting it and it's not from a known contact, why would you open it? Something to think about. Another thing... ever heard of "tracking pixels"? Ever wondered why places know when you open an e-mail? It's not mysterious, but actually quite simple. The sender adds a link to a tiny image within the e-mail so when it's opened, it pulls the image from a server that knows exactly which message it is and who opened it. The fix is easy though. Nearly all e-mail tools have a setting to "block remote image loading" or something similar... simply enable it to block, and voilà, no more notifying them when you view a message. Now it'll block other images like logos, etc., but your e-mail app should also prompt you in case you want to load them manually.
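The tracking-pixel mechanism and the "block remote image loading" fix described above, as an added example that is not part of the original post. The sample message, its hosts (shop.example, tracker.example) and the "mid"/"rcpt" parameter names are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message: every host and the "mid"/"rcpt" parameters are made up.
SAMPLE_EML = """\
From: Shop <news@shop.example>
To: you@mail.example
Subject: Big sale
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo123" width="200" height="60" alt="logo">
<p>Everything is on sale this week.</p>
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="https://tracker.example/o.gif?mid=8f3a2c&rcpt=you%40mail.example" width="1" height="1">
</body></html>
"""


class RemoteImageAudit(HTMLParser):
    """Collects every <img> that would make the mail client contact a server."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlparse(a.get("src") or "")
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images travel inside the message, nothing is fetched
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.remote.append({
            "host": url.hostname,
            "params": sorted(parse_qs(url.query)),  # names that can identify message/reader
            "tracker": tiny,                        # invisible image: no purpose but the fetch
            "raw": self.get_starttag_text(),
        })


def audit(eml_text):
    """Return (remote image findings, HTML with all remote images blocked)."""
    msg = message_from_string(eml_text, policy=default)
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part is not None else ""
    parser = RemoteImageAudit()
    parser.feed(html)
    parser.close()
    safe = html
    for img in parser.remote:
        safe = safe.replace(img["raw"], "[remote image blocked: %s]" % img["host"])
    return parser.remote, safe


if __name__ == "__main__":
    findings, safe_html = audit(SAMPLE_EML)
    for f in findings:
        kind = "likely tracking pixel" if f["tracker"] else "remote image"
        print(f"{kind}: {f['host']} params={f['params']}")
    print(safe_html)
```

The visible banner is blocked along with the 1x1 pixel because any remote fetch reports the open to the server; the embedded `cid:` logo stays, since it ships inside the message.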
Given the serious risks of e-mail, probably one of the best e-mail security-related steps I've taken over the years is to use webmail tools on my PC. PC apps like Outlook have a long history, but if you accidentally open a bad e-mail or attachment, it has immediate access to your operating system. Whereas checking e-mail via a webmail client within a browser provides a level of abstraction... that is the browser. Webmail, e-mail in a browser, is just like any other site, and depending on your settings it can be harder to compromise your PC. See in webmail, messages are just web pages, and attachments are stored on their (webmail service) server as opposed to automatically downloaded to your PC. Generally like other website files, webmail attachments are only downloaded to your computer when you request them, and then they also have to deal with your browser's security controls. So, give webmail a thought. Lastly on e-mail, let's talk about your e-mail service provider. For free e-mail, if you're not using a recognized modern service like Outlook.com or GMail.com, I'd just ask why the heck not? If you are still using legacy AOL, Yahoo, or some version of an old phone company... I just have to say really! For those that have their own domain, you should always use a first-class recognized player like Microsoft 365, Google Workspace / G-Suite, or Rackspace.
The last big topic for PCs is your security solution, which should always include firewall, anti-malware, anti-spyware, and ransomware protection. BTW, anti-virus should naturally always be a component of your anti-malware solution. Both current Windows and Mac versions have built-in firewalls, and using your Zero Trust thinking, you should have your firewall set to block ALL INBOUND connections and only allow outbound connections that are absolutely required. Oh, by nature, when you make an outbound connection, you implicitly allow related inbound connections along same / permissible connections... otherwise stuff wouldn't work... duh! You'd be surprised... I've found printer software, graphics software, and other things that were creating inbound firewall rules and wanting to connect outside of me interacting with their software... why? What's their agenda? What are they doing? With that noted, I have my sh!t locked down toight as a tiger and you should too.
Ok, firewalls, got it... but what about malware, ransomware, spyware, etc. protection... well, both current Windows and Mac OSes have varying levels of integrated security. Windows has "Windows Security" and Mac has Xprotect. Firstly, don't turn it off... that's just dumb. Secondly, don't expect it to protect you from dumb things you do. Ok, with honesty out of the way, and having seen both, I feel Windows Security is a much more comprehensive approach, and for the more diligent & responsible users, may be enough protection. For those with children or who are less evolved / responsible users, you should consider having a secondary solution. However, for Mac, I believe a secondary solution is good practice right out of the box. So, what to choose? A favorite in the IT crowd is a solution called MalwareBytes, which at this time in many cases can be configured to run side-by-side with the built-in solution giving you double protection. There are lots of options, but only choose something from a reputable player, well-known, who's been in the biz for years, and especially that's popular among cyber security and IT experts.
I've discussed password managers a lot in previous posts... on purpose... so I won't drone on further other than reminding you about a few things. Unless you are 100% Apple based and use their password management ecosystem for all your devices, you should be using an enterprise-grade and first class password manager, something like LastPass or 1Password. That way you can have a single system for all your devices whether Apple or Windows. Having passwords spread across devices or browsers is a recipe for disaster. IMHO, you should not use a browser to store passwords as most good password managers have browser extensions but still work within your ecosystem (mobile / tablet / PC / browser).
Now what about your accounts, profiles, and services. Well, there's probably more work to be done than you want to do, but let's give it a shot. Firstly, you should make a ledger of everything you have, just the basics obviously no passwords, but anything that uses your phone number(s), e-mail address(es), or physical address. If you use Excel, it has encryption you can enable. Even though you don't have passwords on the ledger, there's still lots of personal info and it's better off encrypted. Oh, and just where would you store the password for that Excel file? Password manager of course... duhhh! After creating that ledger, then go through and close anything you no longer need. Why have your info floating out there open if you don't need it. Me, I know every account and/or service I currently have open along with everything I've closed since the Internet became public. Yeah, I'm a freak that way. Still regarding accounts... on the flipside though, be sure to set up accounts / services for potential points of compromise that you'd need anyways. For instance, if you use or intend to use Social Security, why not set it up before someone else (who's not you) does... identity theft happens.
Also, I'm sure you've heard of two-factor or multi-factor authentication (2FA / MFA)? Basically, it's the codes you get via TXT, e-mail, or app when signing into a service. They help... really... they do, so use it. Relatedly, also take precautions to ensure you're not locked out of your accounts / services. Most systems like Apple allow you to add a second "trusted" phone number and/or e-mail. Why not add your trusted spouse / partner / family member's number, with their permission of course. That way, if your phone is jacked, you can simply have them provide a code to authorize your account and set up a new one. Otherwise, good luck trying to prove your identity, especially on vacation in some foreign country. Speaking of that, again acknowledging I'm a tech freak... but while away on vacation, I bring an iPad (same account as iPhone) and leave it at the hotel in case my iPhone gets damaged or jacked. As you know, basically an iPad is a slightly less connected iPhone, but it'll allow me to set up a new iPhone and provides immediate access to all my info, since they basically have same stuff (apps / iCloud / etc). Just try authenticating your US based account with Apple while you're in Europe with no way to prove it's yours... good luck with that.
We're almost there, but I need to talk about VPNs. It's amazing to me how a 90's era technology, and not a great one at that, is so prevalent today... mostly based on advertised paranoia. And this coming from captain paranoia. The uninitiated aside, personally I don't get why people use VPNs for personal use. Obviously, there are shady types out there using them for nefarious reasons, but the general public, seems weird to me. When I talk to VPN users, most don't even realize why they're using it other than someone said it was more secure. But is it really? Firstly, if using HTTPS in a browser (most modern sites are over HTTPS now) or TLS in quality software, the traffic should always be encrypted... so that's not a reason to use a VPN. Also, when using a VPN, your traffic is routed through the VPN provider's systems. Me, I'd trust the broadband company who has physical offices, hundreds of vans, and thousands of employees rather than a "tech" company that might be based out of Hong Kong, Brazil, or some other foreign location. Lastly, is DNS... you know... the names you type in your browser. If you're using a VPN, generally just the VPN provider would see them... but again, do you really trust them over your broadband provider. Are you comfortable having one entity see the names of ALL sites you visit? Me, again, I'd rather have my broadband provider see that... if someone is looking. However, a lot of the DNS stuff will be moot now as newer browsers support various forms of "secure DNS" which may also encrypt names. Lastly, if you have your mobile device connected to Wi-Fi which is connected to your broadband, none of the TXTs, e-mails, etc., are encrypted, so your broadband provider would see it anyways. So, using a VPN for your PC and not your mobile defeats the purpose.
The best rollout for a VPN is like what is generally used in business, where routers establish VPN connections to each other (site to site links) so all traffic between them, no matter what the device, is encrypted. This used to be common in business to attach branch offices to a corporate network. With that noted, I haven't set up a VPN in well over a decade. So, if you are using a VPN, you should ask yourself if it is the best solution? Maybe you are happy... if so... good for you!
Last topic... honestly! #BeginSoapBoxCommentaryOnSocialMedia. In early 2020 I decided to end all the hate mongering, vitriol, lies, fake news, cancel culture, general horsesh!t, etc., etc., etc. I was exposed to daily via "social" media, and closed all my social accounts. It was all starting to feel rather unsocial and actually like multi-faceted indoctrination. I don't need some manufactured "celebrity" to tell me how to think, act, and live... so Instagram gone... Twitter gone... Facebook gone. One of the best things I've ever done. Plus, while I was always very careful what I put on-the-line, I just eliminated one of the most common attack vectors... social engineering.
So many people are compromised over what they put online... again "the nut behind the wheel". So, what do I tell others that want to "friend" me? I give them my e-mail and if they want my advice, suggest they make the world a better place, save themselves from themselves, and delete all their social accounts. After that, go live life like a human... you know... outside with other humans, having fun and not beholden to the d-bag technology overlords who laugh at you as they rake in billions and control society like we're puppets on strings. Oh and those certain "social" parents out there, you know who you are, think about what you're doing to your children by posting their entire lives online for everyone to experience. You are effectively creating a future cyber victim. Until they become a reasonable adult, they can't make rational decisions, so it's up to you to make rational, logical, and good decisions for them. The Internet is forever, there are no take-backs... period.... full-stop... mic drop! #EndSoapBoxCommentaryOnSocialMedia 🔥😁
Ok, finally, are you tired yet? Think I'm a total d!ck or full of sh!t... that's OK, most do, but regardless, here are some last random thoughts: 😎
Practice safe web surfing. Stay off forums and other sites often compromised. Go outside for some froyo and a nice trail walk instead.
Have a good home security plan. I talk about this HERE & HERE.
Make sure all websites start with HTTPS... note the "S" at the end for secure.
Don't give children phones, there are safer alternatives like a Cellular Apple Watch via Family Setup, or even something like a 2-Way Satellite Messenger from Spot.
Don't use public Wi-Fi. I talk about Wi-Fi more HERE.
Understand implications of trackers like from Tile and Apple AirTags.
Only use encrypted flash drives, like Kingston IronKeys.
Don't let "apps" take control. I talk about them HERE.
TXT messages are not secure, so don't use for sensitive deets.
Unless you set up secure e-mail, e-mail is also not secure.
Beware of your "smart home". I talk about that HERE.
Unless needed, place "freezes" with the credit bureaus... they're free by law.
File your tax returns before a scammer does and bogarts your refund... it happens... a lot.
Back your sh!t up. I talk about that HERE.
Hope this post was at least entertaining... thanks for stopping by today! 🤠 Always feel free to e-mail me comments. You can find my info on the "Team" Page.
DISCLAIMER: I'm just a guy who's been around tech and knows some stuff. I always remind others that what I say is purely FWIW, IMO, FFT, FYI, and many other acronyms... so while I strive to convey quality deets... you get no promises on accuracy or validity. I'm sure a lawyer would say; information not guaranteed, actual results may vary, and use at your own risk.
Dave - IT/BA, Stocker & Watts, Inc.
Real Estate Reinvented | Sacramento CA